Data Protection News Sept 18

Marketing companies are still a hotbed for ICO fines, sometimes through a lack of due diligence and sometimes due to misinterpretation of current legislation. It doesn’t help that the PECR (Privacy and Electronic Communications Regulation) and the GDPR (General Data Protection Regulation) are not 100% aligned.

PECR makes a distinction between contact information that is only for personal use (e.g. name@gmail.com) or only for business use, (e.g. name@company.com). It allows for email marketing under a ‘soft opt in’ if the marketing is for existing business customers and for similar products and services to which they already subscribe. GDPR treats all personally identifiable information the same and you need to specify one of six lawful bases for processing any personal data.

A recent LinkedIn post included a scanned letter from the ICO. The paraphrased question posed was: Can you use legitimate interests to market to personal corporate email addresses, where the soft opt-in does not apply? The ICO response was: You do not always need prior consent for marketing emails… you may be able to rely on Legitimate Interests to justify some of your business to business marketing.

“Hurrah!” marketeers cried “This is a game changer!”

At which point I gave a sigh and started trying to do damage control… no, not a game changer at all.

Yes, either informed consent or legitimate interests can be used as a lawful basis for marketing. But the aim of GDPR is to give people greater visibility and control of how their information is used and either of these lawful bases enforce this ethos – It is no less onerous for companies to use legitimate interests, than it is to use informed consent.

If you are using consent then data subjects must be explicitly informed what you intend to do with their data, you need to have an audit trail of their given consent and they must be able to withdraw consent as easily as it was given.

If you want to rely on legitimate interests, data subjects must be informed of this lawful basis for marketing in the privacy notices that you issue to them when you collect their data. They must also be informed of their right to object to marketing under legitimate interests and any objections must be immediately acted on (i.e. they can still ‘opt out’).

So, while there is a choice of method, I am happy to say that there is no loop hole to get away from the due diligence of informing people about your intent to market and giving them the ability to easily opt out.

The number of Data Breaches being reported in the media is still a consistent rate of 120 – 140 breaches per quarter. The biggest global breaches from Q3 were:

• Hiazhu hotel chain – 130 million customers affected
• Chegg – 40 million customers
• Timehop – 21 million users

There were also some notable UK breaches in the last 3 months:

British Airways – credit card details of 380,000 customers were stolen during 2-week cyber-attack on their website.

Butlins – suffered a data hack affecting 34,000 customers caused by a phishing email.

NHS – suffered a data breach caused by a coding error which exposed 150,000 patient records.

As well as the record breaking Equifax fine, there were other six-figured fines in the last quarter:

• BUPA Insurance Services fined £175,000
• Lifecycle Marketing fined £140,000
• AMS Marketing fined £100,000
• Independent Inquiry into Child Sexual Abuse fined £200,000

The total of ICO fines for 2018 so far is £4.8m which has exceeded the 2017 year-end total of £4.2m.

For more detailed information about ICO fines, see the ICO enforcement webpage:

https://ico.org.uk/action-weve-taken/ enforcement/